
What the GDPR does – and doesn’t – say about consent

You may have noticed that the General Data Protection Regulation is rather in the news lately, and quite right too considering there is only a year left to prepare for the most stringent and wide-reaching privacy law the EU has yet seen. Unfortunately however, in the rush to jump onto the latest marketing bandwagon, a lot of misleading and inaccurate information posing as “advice” in order to promote products and services is flourishing and appears to be drowning out more measured and expert commentary. Having seen a worrying number of articles, advertisements, blog posts and comments all giving the same wrong message about GDPR’s “consent” requirements, I was compelled to provide a layperson’s explanation of what GDPR really says on the subject.

So, let me start by saying GDPR DOES NOT MAKE CONSENT A MANDATORY REQUIREMENT FOR ALL PROCESSING OF PERSONAL DATA.

and again, so we’re completely clear – GDPR DOES NOT MAKE CONSENT A MANDATORY REQUIREMENT FOR ALL PROCESSING OF PERSONAL DATA!!!

So what does GDPR say about consent? It says that to be allowed to process (i.e. do anything at all involving a computer or organised manual files) personal data, you must have at least one “legal basis” for doing so. Let’s call the list of legal bases “Good Reasons” for now, to keep the language friendly.

The Good Reasons are:

when you have consent to process personal data

when there is a contract between you and the individual (“data subject”) or between the individual and someone else which requires you to process their personal data in order to fulfil its terms. This also applies to any processing that is needed in order to prepare or negotiate entering into a contract. Example: buying a house

When there’s a law or legal obligation (not including a contract) that you can only comply with by processing personal data – example, accident reports for health & safety records

when someone’s vital interests are at stake unless personal data is processed (usually only applicable to life-or-death situations – e.g. the emergency services having a list of employee names to identify survivors after a building collapse)

In the public interest or when acting under official public authority – such as political parties being allowed to have a copy of the electoral register (providing they don’t take the mickey in their uses of it).

When personal data needs to be processed for an activity which is in the “legitimate interests” of the organisation (“Data Controller”) or the individual.

Now, just because consent is listed first does not mean that it is the most preferable Good Reason, the most important or the default option. It is none of those things – in fact, when considering which Good Reason applies to processing, the other options should be tested first. If you picked consent because it was top of the list and consent was later withdrawn, but you realised there was a legal obligation to continue to process the data, you would be in a pickle – either you’d be in breach of privacy law (continuing to process when consent has been withdrawn) or in breach of the other legal obligation.

Please note that opting for “legitimate interests” as the Good Reason is not a way of dodging around the prospect that consent may be withdrawn or refused, as there is an absolute [edit: an objection *can* be overridden by the Data Controller in some circumstances] right for the individual to object to the processing of their personal data when “legitimate interests” is the Good Reason for processing. All legitimate interests does is save you the effort of having to obtain and demonstrate specific, informed and freely-given consent before you can have or start using the data.

When it comes to special categories of personal data (formerly known as “sensitive personal data”), there is another set of legal bases (we’ll call these Damn Good Reasons) which must also be met for the processing to be allowed. In fact, GDPR says that unless one of these Damn Good Reasons is applicable, then you’re not allowed to process special categories of personal data at all.

The Damn Good Reasons are:

When you have explicit consent

OR

When employment law, social protection law or social security law says you have to do something that requires the processing of special categories of personal data

When the processing is required in someone’s vital interests but the individual is incapable of giving consent

When the processing is necessary and carried out by a trade union, philosophical or religious non-profit organisation to administer their membership operations

When the individual has already and deliberately made the data public

When the processing is necessary to defend legal rights, legal claims or for the justice system to function

When the processing is necessary in the public interest (just like in the Good Reasons list)

When the processing is necessary in order to provide health care, treatment and management of health care services

When public health may be at risk if the processing isn’t carried out

When the processing is necessary for archiving, historical or scientific research, or statistical analysis

Again, although consent tops the list it does not mean that it should be the first choice of Damn Good Reason. As with the other list, it is wise to consider first whether there are other Damn Good Reasons that apply and only choose consent where there are no alternatives.

There is some confusion at the moment about the difference between “consent” (Good Reasons) and “explicit consent” (Damn Good Reasons), especially as GDPR says that for any consent to be valid, it must be “unambiguous”. I’m going to leave the dissection of that to greater minds than mine (see refs). However, I will say that when in doubt, go for whichever approach gives you the most solid evidence.

So that’s what GDPR says about whether and when you need consent.

HOWEVER – another law (the Privacy & Electronic Communications Regulations, aka “PECR”) says that you must have explicit prior consent before sending any unsolicited direct marketing by email. This is not the same as the Good Reason/Damn Good Reason “[explicit] consent for processing” but the separate requirements are often confused. It may be in your organisation’s legitimate interests to collect, store and analyse contact info but if you are emailing unsolicited direct marketing messages you will also need to have obtained consent for email marketing from the recipient.

A few words on mechanisms vs outcomes (if you’re still reading, congratulate yourself on your fortitude!)

‘Consent’ is an outcome – you and the individual have achieved a defined, mutually-understood relationship in which you as a Data Controller can process their personal data for a particular purpose and in a particular way. This outcome needs to be an ongoing state of affairs. If the individual later decides to change the relationship and no longer allow you to process their data then you no longer have consent (and must stop any current or future processing).

Tickboxes, signatures and “click here” buttons are mechanisms for obtaining consent. However, if the agreement you have obtained using this mechanism is not specific, informed and freely-given then you do not have valid consent under data protection law.

Transaction logs, screen prints, signed documents and call recordings are evidence for the process of obtaining consent. These are only as good as the outcome that the process supports. If the individual has been misled, or they dispute that the processing you are doing is what they actually agreed to, or the processing purpose + Good/Damn Good Reason was not made clear to them, or they have simply changed their mind then you do not have valid consent even if you have evidence that consent was asked/supplied at one point in time. Consent is not a fire-and-forget activity, and consent obtained once is not set in stone forever.

So in order to be able to get and keep valid consent you need to have good processes for obtaining, maintaining and verifying the outcome, i.e. the relationship between you and the individual. This means careful attention to training, customer service and the content of privacy notices.

So, in summary (well done for getting this far!)

GDPR does not say “all processing requires consent” – and anyone who says that it does clearly does not know what they are talking about. Ignore them.
GDPR says that sometimes you will need to get consent and, when that is the case, it sets out the standards that you must meet.
Consent for unsolicited electronic marketing as required by PECR is not the same thing as consent for processing of data described in GDPR.

I hope that clears it all up.

More about consent under GDPR if that is the Good Reason/Damn Good Reason you need to use:


Miss Info Geek, 2017-05-31

It’s been pointed out to me that I haven’t mentioned the “soft opt-in” that PECR allows. I’d deliberately left it out in order to keep the post brief but in case anyone is interested; PECR currently allows email marketing to be sent when the recipient’s contact details have been obtained during the sale (or negotiations for a sale) of goods or services. It’s polite good practice to offer an immediate opt out in case people just don’t want any marketing at all, but in any case; every subsequent marketing message must also have a free mechanism to unsubscribe from future email marketing. We don’t know yet whether the final version of PECR 2.0 (the ePrivacy whatsit) will keep the soft opt-in.

Good piece, but just a few points:
You did not mention that the legitimate interest basis cannot be claimed if it overrides the interests or fundamental rights of the data subject. The GDPR A.21 also makes clear that an individual’s objection to processing can be delivered by “automated means”.
Also, the PECR is very clear (in A5.3 & R.66) that consent must be obtained before terminal (e.g. browser) storage is used.
The requirement for consent is very clearly described in the GDPR, while the public and legitimate interest bases are not. It will be a lot less risky to base processing on properly established (and managed, as you say) consent than those last 2 bases.
The PECR does not mention a “soft opt in”, The “implied consent” interpretation was from guidance given in 2012 by the ICO, derived from earlier lobbyist input into the ePrivacy process.

Valerie, you are of course quite correct that a legitimate interest of the controller is not alone a lawful basis for processing, since it has to be balanced against the interests and fundamental rights and freedoms of the data subject. However, I think that in practice it is less “risky” to process based on the legitimate interest provision than on consent.

It is extremely easy for a consent to be invalidated later and many ways to fall foul of the law. A legitimate interest basis, if supported by diligent work on the balance of interests, allows far fewer risks of clear-cut challenges. Furthermore, the justification for the balance calculation only needs to be provided following a challenge by a data subject (or potentially by a DPA, of course). Since the balancing process includes subjective judgement, I think that even a negative ruling is unlikely to lead to an administrative fine. Since the balance of interest argument can depend on the circumstances of a particular data subject, if a single person makes a challenge, the controller may be simply able to stop processing for that data subject and close the case.

Regarding the PECR “soft opt in”, Art 16.2 of the proposed ePrivacy regulation does include this. Indeed, direct marketing is recognised by the GDPR as a legitimate interest (Recital 47), but it is difficult to see how communications can be sent (in most cases) without consent as required by the PECR.

Robert, the GDPR says that information about the legitimate interests of the controller must be provided to the data subject when the data is collected – A13.1(d). It also has to be made available even if the subject did not provide the information – A14.2(b).

The need for fair and transparent processing implies that this would necessarily include justification of the balance between the subject’s and the controller’s rights.

The right to object must also be explicitly brought to the attention of the subject at the time of the first communication A21.4, and this can be exercised through “automated means using technical specifications” A21.5

Many companies will consider consent to be a less risky basis for processing, and far better because of the opportunity to get affirmative buy-in from a potential customer.

Valerie, I agree that the controller must inform the data subject of the legitimate interests it is pursuing, as you say. However, the provisions do not specify that the balance of interest algorithm has to be provided.

It is debatable whether the principles of fair and transparent processing (as mentioned in Recital 60) would require this explanation, in addition to the requirements specified in Articles 13 & 14. There is already a long list of information that has to be provided to the data subject and this could be considered a level of detail which would simply overwhelm, rather than inform the data subject.

This issue was debated in the legislative process leading to the approval and publication of the GDPR. The LIBE Committee of the European Parliament wished to include in these articles the controller’s reasons for believing that its interests are not overridden by the data subject’s interests or fundamental rights and freedoms. The Article 29 Working Party supported this viewpoint. The amendment proposed by the EU Parliament to this effect was not agreed for the final text and so the omission is clearly not accidental. Therefore, I think that it would be difficult to argue legally that the controller has an obligation to provide this information (until it receives an objection from a data subject).

I totally agree about the need to highlight the right to object. Indeed, in most contexts the simplest route for a controller to follow is to provide an ‘opt-out’ check box on each communication, which provides the easiest possible right to object. Once the data subject checks this box then processing would stop and the controller would be off the hook for explaining how it calculated the balance of interests.

It’s yet to be seen how much controllers will opt for consent or a legitimate interest assertion. I personally would prefer a consent-based approach, if this can be done in a way that truly empowers individuals, but I continue to believe that most companies will see a legitimate interest basis as the least risky. If a consent process is later judged invalid, it will invalidate processing of all data subjects done on this basis, whereas judgements on legitimate interest may well just be individual (both because challenges are likely to be individual and because the balancing algorithm may produce different results depending on the individual).

The requirement for consent under the ePrivacy regulation may tip the balance. I also agree that forward-looking companies, wishing to establish the strongest relationships with the potential customers will aim for an affirmative buy-in.

Robert Madge, 2017-07-10

Valerie, I’ve just taken a look at your website – great work!

Making consent workable is hugely valuable.

I hope that you can make it along to the MyData conference at the end of August, in Helsinki: https://mydata2017.org/

EX 1
How do we use your personal information? [or similar heading as part of privacy notice]
We may process your personal information for our legitimate business interests.
e.g. fraud prevention/direct marketing/network and information systems security/data analytics/enhancing, modifying or improving our services/identifying usage trends/determining the effectiveness of promotional campaigns and advertising. [This section should highlight the areas where your business processes data for the purposes of its legitimate interests. Refer to Section [X] for examples of legitimate interests that your organisation may pursue.]
Click here to learn more about what we mean by legitimate interests, and when we process your data for our legitimate interests.
You have the right to object to this processing if you wish and if you wish to do so please click here

EX 2
We process personal information for certain legitimate business purposes, which include some or all of the following:
• where the processing enables us to enhance, modify, personalise or otherwise improve our services / communications for the benefit of our customers
• to identify and prevent fraud
• to enhance the security of our network and information systems
• to better understand how people interact with our websites
• to provide postal communications which we think will be of interest to you
• to determine the effectiveness of promotional campaigns and advertising.
Whenever we process data for these purposes we will ensure that we always keep your Personal Data rights in high regard and take account of these rights. You have the right to object to this processing if you wish, and if you wish to do so please click here. Please bear in mind that if you object this may affect our ability to carry out tasks above for your benefit.

EX 3
We may process your personal information for carefully considered and specific purposes which are in our interests and enable us to enhance the services we provide, but which we believe also benefit our customers. Click here to learn more about these interests and when we may process your information in this way.

FURTHER INFORMATION EXAMPLE, ON CLICK-THROUGH
“Legitimate Interests” means the interests of our company in conducting and managing our business [to enable us to give you the best service/products and the best and most secure experience].
For example, we have an interest in making sure our marketing is relevant for you, so we may process your information to send you marketing that is tailored to your interests.
It can also apply to processing that is in your interests as well.
For example, we may process your information to protect you against fraud when transacting on our website, and to ensure our websites and systems are secure.
When we process your personal information for our legitimate interests, we make sure to consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. Our legitimate business interests do not automatically override your interests – we will not use your Personal Data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
[Insert optional table, in which organisations may wish to include further detail]
e.g. The table below sets out further detail on the ways we process your data for our legitimate interests. If you have any concerns about the processing below, you have the right to object to processing that is based on our legitimate interests. For more information on your rights, please see “Your Rights” section below
– – –
As you can see, they are not proposing that the balance of interests calculation should be presented at this stage of the interaction with data subjects.

I should have added, regarding the “soft opt-in”, that this is indeed currently applicable in the UK under the PECR (Privacy and Electronic Communications (EC Directive) Regulations 2003), Art 22.3 (derived from Art 13.1 of the EU Directive 2002/58/EC).

Great article. One important sub-text that might be missed is that GDPR is NOT just a security issue. In fact security is likely to be the easiest part of GDPR for the business to comply with. Understanding the e2e lifecycle from obtaining the personal information, processing it, storing it, through to finally deleting it, being able to evidence all of that activity and making sure that all of those obscure business processes and systems that have not been looked at for a decade or more are in compliance with the Regulation will be a lot more challenging.


You say: “If you picked consent because it was top of the list and consent was later withdrawn, but you realised there was a legal obligation to continue to process the data, you would be in a pickle – either you’d be in breach of privacy law (continuing to process when consent has been withdrawn) or in breach of the other legal obligation.”

If there are six lawful bases/good reasons for processing and the data subject withdraws their consent but you have a legal obligation to continue processing, then surely you’re still processing the data lawfully under Article 6 point c of the GDPR (“Processing shall be lawful only if and to the extent that at least one of the following applies: […] (c) processing is necessary for compliance with a legal obligation to which the controller is subject”), aren’t you?

Doesn’t that ‘at least’ mean you can have more than one lawful basis for processing? Or is it a problem because you need to have identified the lawful basis/good reason for processing before you start?

Hi Neil, thanks for your kind words.
The issue with falling back on another legal basis after consent is withdrawn is that the original processing was not; and the continued processing will no longer be “fair, lawful and transparent”. By giving the data subject (the illusion of) a choice, but then taking that choice away from them it is then very difficult to argue that the processing was ever fair in the first place. Certainly, you would be unlikely to be able to fall back on legitimate interests once consent is withdrawn/refused. If you have a legal obligation to process, then that should be the Article 6 basis, as consent will never be valid in that scenario (as it cannot be freely given). Hope that makes sense


I’ve been unimpressed by a Dun & Bradstreet doc about GDPR compliance of their marketing list selling service, alongside lists they have sold, presumably at great expense. Their basic premise is that they collect data “in a legitimate interest” (they maintain business directories), and they have obtained this data through public sources (i.e. scraping web sites, with no opportunity for any kind of consent, transparency, fairness or “informing”).

They now consider this to be *their* proprietary data which they are free to do what they like with, including selling it to 3rd parties for marketing purposes. They claim they are entitled to do this on the basis of the “B2B marketing exemption”. They say that “individuals” are free to say that they wish to opt out – however, most do not even realise they are on these lists, nor do D&B provide any mechanism that third parties can use to transmit opt-out information back to them. They have clearly filtered the data to some extent (e.g. there are no public email provider addresses like gmail), but also some of the data is clearly very old – so much for “only storing the data for as long as it is necessary”.

I think it’s all blatant abuse, wildly inconsistent, and hopefully it will come back to bite them. Ping me if you’d like a copy of the doc!

[…] with your services. First is that of consent. Not everything you do with data will require consent(9), but where it is required you are going to have to explain to users what data you are storing and […]


Since I can’t see that any of the other options but consent matches. Does this mean that every blog with comments prior to 25 May 2018 need to seek specific consent from all commentators which have not given their explicit consent? From what I’ve read so far (this post included), yes, you would have to seek explicit consent – and if you don’t, you need to remove all comments which you do not have a consent for (or at least all comments which contain any personal identifying information).

There could be a case for legitimate interests rather than consent, as long as the ways in which the data was used was balanced against the individuals’ rights and freedoms, and comprehensive privacy information was given. I don’t think that removing all comments where evidence for consent is missing would be necessary – and consent only has to be explicit if special category data is processed. Unambiguous consent should be good enough if consent is to be the basis for processing.

Compliments for the article and the site. Although I can barely see this thin grayish font ?

I think use cases do clarify things (here too). For example so called “candidate” to the job agency and her personal data and her CV.

CV is rather contentious issue in the context of GDPR. Mainly in the sub-context (ugh) of Anonymisation. Do we remove all the personal data from a CV? All of it? Some of it? What part?

These days a lot of such “candidates” are asked to give a consent. For what exactly? It seems a lot of agencies are led to believe some consent “covers” them later on for “everything” … marketing emails, CV exchange with other agencies etc…

1) Anonymisation cannot be used with CVs and still make them usable for recruitment. “Pseudonymisation” could be used, by removing clearly-identifiable personal information (and adding a reference number) when circulating the CV to another department, or to the client recruiting company, for comment. However, CVs contain so much specific information that the resulting CV might still allow the person to be identified.

2) The GDPR (as previous data protection legislation) requires that a consent has to be very specific about what uses are being approved. You are describing agencies that certainly are not complying with the law.

In general, the recruitment sector will have to go through major changes in order to comply with the GDPR. We can expect that the ICO (in the UK) will choose a few culprits to fine, in order to make an example and scare the others.
